Bugtraq mailing list archives

Malformed vsprintf in bftpd


From: asynchro <asynchro () PKCREW ORG>
Date: Wed, 6 Dec 2000 19:11:58 +0100

There is a malformed vsprintf in bftpd 1.0.12 in function sendstrf:

int sendstrf(int s, char *format, ...) {
 ....
  vsprintf(buffer, format, val);

when the function is called from NLIST command:

  else
      foo = 1;
      sendstrf(s, entry->d_name);
    }

This can be used to overflow the buffer of the vsprintf and execute
arbitrary code. I don't think it can be normally used for a remote attack
because bftpd removes all non-printable characters from input strings and
so it is not possible to remotely put a shellcode in a filename.
Demonstrative code is attached.


asynchro () pkcrew org
www.pkcrew.org

Attachment: bf-code.c
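The bug described above is a format-string bug: the directory entry name reaches vsprintf as the format argument, so any '%' directives in a filename are interpreted. The following is an added example, not code from the post or from bftpd, that reproduces the vulnerable shape next to a hardened one. The vulnerable variant does not write into a fixed buffer; it measures (with vsnprintf(NULL, 0, ...), which parses the format exactly like vsprintf) how many bytes the original vsprintf call would have emitted, so that the demo can be run without corrupting memory. OUT_SIZE, the function names, and the sample filenames are assumptions for this demo; bftpd's real buffer size is not stated in the post.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed output buffer size for this demo (bftpd's real size is not
 * given in the post). */
#define OUT_SIZE 256

/* Vulnerable shape, mirroring bftpd's sendstrf: the caller's string IS the
 * format. Instead of writing into a fixed buffer, ask vsnprintf how many
 * bytes vsprintf would have produced. Any result >= OUT_SIZE means the
 * original vsprintf(buffer, format, val) would have run past its buffer.
 * A directive such as %x with no matching argument reads whatever sits in
 * the next variadic slot, which is exactly what a format-string attack
 * leverages (and is undefined behaviour in C). */
static int vulnerable_sendstrf_len(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(NULL, 0, format, ap);
    va_end(ap);
    return n;
}

/* Hardened shape: bounded vsnprintf, and callers pass untrusted text as an
 * argument to a literal "%s" format, never as the format itself.
 * Returns 0 on success, -1 if the line would not fit in cap bytes. */
static int safe_sendstrf(char *out, size_t cap, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out, cap, format, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return 0;
}

/* What the NLIST handler should do with entry->d_name. */
static int send_nlist_entry(char *out, size_t cap, const char *d_name)
{
    return safe_sendstrf(out, cap, "%s\r\n", d_name);
}

/* Bytes the vulnerable NLIST path would have produced for this name. */
static int nlist_entry_len_vulnerable(const char *d_name)
{
    return vulnerable_sendstrf_len(d_name);
}

int main(void)
{
    /* Constructed filenames, printable ASCII only, as bftpd would accept. */
    const char *harmless = "README";
    const char *leak     = "%08x.%08x.%08x.%08x";   /* dumps four stack/register words */
    const char *overflow = "%400x";                 /* 400 bytes of padding from a 5-byte name */
    char out[OUT_SIZE];

    printf("vulnerable: '%s' -> %d bytes\n",
           harmless, nlist_entry_len_vulnerable(harmless));
    printf("vulnerable: '%s' -> %d bytes (words leaked)\n",
           leak, nlist_entry_len_vulnerable(leak));
    printf("vulnerable: '%s' -> %d bytes (>= %d: buffer overflow)\n",
           overflow, nlist_entry_len_vulnerable(overflow), OUT_SIZE);

    if (send_nlist_entry(out, sizeof out, overflow) == 0)
        printf("hardened:   '%s' -> sent literally as \"%s\"\n", overflow, out);
    return 0;
}
```

The two fixes are independent of each other and of any input filtering: both '%' and digits are printable, so the format string must be a literal under the program's control, and the write must be bounded to the buffer.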

